Security Mechanisms The European DataGrid Project Team

Security Tutorial - n° 2: Overview

User side
  - Getting a certificate
  - Becoming a member of the VO
Server side
  - Authentication / CA
  - Authorization / VO (with some examples)

Security Tutorial - n° 3: Authentication/Authorization

Authentication (CA Working Group)
  - 16 national certification authorities + CrossGrid CAs
  - policies & procedures -> mutual trust between the CAs
  - users identified by certificates issued by these CAs
Authorization (Authorization Working Group)
  - based on Virtual Organizations (VO)
  - management tools for VO membership lists
  - 6+2 Virtual Organizations

VOs: ALICE, ATLAS, CMS, LHCb, Earth Obs., Biomedical, Testbed, Tutorial
CAs: CERN, CESNET, CNRS (3), GermanGrid, Grid-Ireland, INFN, NIKHEF, NorduGrid, LIP, Russian DataGrid, DATAGRID-ES, GridPP, US-DOE Root CA, US-DOE Sub CA, CrossGrid (*)

Security Tutorial - n° 4: Authentication Overview

[Diagram: the four parties of the following slides: CA, VO, user, service]

Security Tutorial - n° 5: Certificate Request

[Diagram: user -> CA: cert-request (grid-cert-request); done once every year]

Security Tutorial - n° 6: Requesting a Certificate

$ grid-cert-request
A certificate request and private key is being created.
[...]
Using configuration from /usr/local/grid/globus/etc/globus-user-ssleay.conf
Generating a 1024 bit RSA private key
[...]
A private key and a certificate request has been generated with the subject:
/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner
[...]
Your private key is stored in .../.globus/userkey.pem
Your request is stored in .../.globus/usercert_request.pem
Please mail the certificate request to the CERN CA:
cat .../.globus/usercert_request.pem | mail
Your certificate will be mailed to you within two working days.

Security Tutorial - n° 7: Request Details

$ openssl req -in ~/.globus/usercert_request.pem -text
    Data:
        Version: 0 (0x0)
        Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner     <- user information
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):                              <- public key
                    00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58:
                    [...]
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption                    <- signature on the public key and user information
        29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e:
        [...]
-----BEGIN CERTIFICATE REQUEST-----                              <- PEM encoded request
MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC
[...]
-----END CERTIFICATE REQUEST-----

Security Tutorial - n° 8: Certificate Signing

[Diagram: user -> CA: cert-request (grid-cert-request); CA -> user: certificate (cert signing)]

Security Tutorial - n° 9: Signing a Request

Upon a certificate request from the user:
  - checking the identity of the user (Registration Authority)
  - signing the request and sending back the result:
      openssl ca -in usercert_request.pem -out usercert.pem
  - if something goes wrong: revocation of the certificate -> CRL
  - the issued certificates are described in the Certificate Policy (CP)
  - the process is described in the Certification Practice Statement (CPS)

Security Tutorial - n° 10: Private Key

$ openssl rsa -in ~/.globus/userkey.pem -text
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]
prime1: [...]                     <- private parameters
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY-----    <- PEM encoded private key
-----END RSA PRIVATE KEY-----

Security Tutorial - n° 11: Certificate Details 1.

$ openssl x509 -in ~/.globus/usercert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)                                  <- X.509 v3, with extensions
        Serial Number: 199 (0xc7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=CERN, CN=CERN CA                   <- issuer CA
        Validity
            Not Before: Jun 11 08:25: GMT                 <- long-term certificate
            Not After : Sep 29 11:22: GMT
        Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner    <- user information
        Subject Public Key Info: [...]                     <- same as in the request

Security Tutorial - n° 12: Certificate Details 2.

        X509v3 extensions:                                               <- certificate extensions
            Netscape Base Url:
            Netscape Cert Type: SSL Client, S/MIME, Object Signing       <- client/user certificate
            Netscape Comment: For DataGrid use only
            Netscape Revocation Url: http://home.cern.ch/globus/ca/cern.crl.pem    <- information
            Netscape CA Policy Url: http://home.cern.ch/globus/ca/CPS.pdf
    Signature Algorithm: md5WithRSAEncryption                            <- signature on the information
        54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13:
        [...]

Security Tutorial - n° 13: Preparation for Registration

[Diagram: as before, plus: user converts the certificate to cert.pkcs12 (convert)]

Security Tutorial - n° 14: Registration/Authorization

User registration in an EDG Virtual Organisation
  - convert your certificate:
      openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out user.p12 -name 'Joe Smith'
  - import your certificate into your browser
  - sign the usage guidelines
  - ask for an account from your VO administrator by e-mail
-> You are registered in the VO-LDAP server and have a user account.

Security Tutorial - n° 15: Registration

[Diagram: as before, plus: user -> VO: registration (usage guidelines, account). Registration is done once for the lifetime of the VO; it binds only the DN, not the keys, so the keys may change.]

Security Tutorial - n° 16: Starting a Session

[Diagram: as before, plus: user creates a proxy-cert with grid-proxy-init, every 12/24 hours]

Security Tutorial - n° 17: Usage

You must have a valid certificate from a trusted CA!
  - "login": grid-proxy-init -> short-lifetime certificate: 24 hours
      Enter PEM pass phrase:
  - checking the proxy: grid-proxy-info -subject
      /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
  - "logout": grid-proxy-destroy
-> use the grid services

Security Tutorial - n° 18: Proxy Certificate Details

$ openssl x509 -in /tmp/x509up_u`id -u` -text
    Data:
        [...]
        Issuer: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner          <- issuer is the user, not a CA
        Validity
            Not Before: Jul 22 09:44: GMT                           <- short-lived certificate: 1 day
            Not After : Jul 22 21:49: GMT
        Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner, CN=proxy   <- extra tag: proxy
        Subject Public Key Info:                                     <- new (shorter) key
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:e9:7c:f4:d0:5d:8a:4c:91:8b:df:a7:16:78:1f:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions: [...]                                    <- same as earlier
    Signature Algorithm: md5WithRSAEncryption [...]                 <- signed by the user
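The proxy on this slide is a legacy (GT2-style) proxy: the extra CN=proxy component and a signature by the user's own long-term key are its only markers. The script below is an added example, not code from the tutorial or from Globus; it builds the same kind of object with plain openssl, using the RFC 3820 form of the proxy (a proxyCertInfo extension) so that a stock `openssl verify -allow_proxy_certs` can validate the chain proxy -> user certificate -> CA. The CA, the user, all DNs and file names, and the one-day lifetime are constructed for the example. It also shows why ordinary TLS validation rejects a proxy, and why the proxy subject must be the user's DN plus exactly one CN.

```shell
#!/bin/sh
# Added example (not EDG/Globus code): a short-lived proxy certificate made
# with plain openssl, the way grid-proxy-init makes one, and the checks a
# relying party runs on it. Every name, path and lifetime is constructed.
set -eu
W=$(mktemp -d)

# One config file serves all requests; the [dn] section is empty because
# every subject is passed with -subj.
cat > "$W/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
[ proxy_ext ]
keyUsage = digitalSignature,keyEncipherment
proxyCertInfo = critical,language:id-ppl-inheritAll,pathlen:1
EOF

# Stand-ins for the CA and for the long-term user certificate it issued
# (the tutorial gets these from grid-cert-request and the CA's signing).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$W/req.cnf" -extensions ca_ext \
    -subj "/O=Grid/OU=example.org/CN=Example CA" \
    -keyout "$W/cakey.pem" -out "$W/cacert.pem" 2>/dev/null
USER_DN="/O=Grid/OU=example.org/CN=Alice Example"
openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" -subj "$USER_DN" \
    -keyout "$W/userkey.pem" -out "$W/usercert_request.pem" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$W/usercert_request.pem" \
    -CA "$W/cacert.pem" -CAkey "$W/cakey.pem" -CAcreateserial \
    -extfile "$W/req.cnf" -extensions user_ext -out "$W/usercert.pem" 2>/dev/null

make_proxy() {
    # $1: output file, $2: proxy subject DN, $3: lifetime in days.
    # A fresh key pair is generated and the request is signed with the user's
    # long-term key, so the issuer is the user, not a CA. The tutorial's proxy
    # lives 12 or 24 hours; "openssl x509 -req" counts whole days, so 1 day
    # stands in for 24 hours. The 512-bit key on the slide was already short
    # in 2003; 2048 bits are used here.
    openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" -subj "$2" \
        -keyout "$1.key" -out "$1.req" 2>/dev/null
    openssl x509 -req -sha256 -days "$3" -in "$1.req" \
        -CA "$W/usercert.pem" -CAkey "$W/userkey.pem" -CAcreateserial \
        -extfile "$W/req.cnf" -extensions proxy_ext -out "$1" 2>/dev/null
    # GSI stores proxy cert, proxy key and user cert together in
    # /tmp/x509up_u<uid>, readable only by the owner (mode 0600).
    cat "$1" "$1.key" "$W/usercert.pem" > "$1.bundle"
    chmod 600 "$1.bundle"
}

verify_proxy() {
    # $1: proxy certificate, $2: extra verify options ("" for none).
    # Prints OK if the chain proxy -> user cert -> CA validates, else FAIL.
    if openssl verify ${2:-} -CAfile "$W/cacert.pem" -untrusted "$W/usercert.pem" \
        "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_proxy "$W/x509up" "$USER_DN/CN=proxy" 1
# A subject that is not the signing user's DN plus one CN breaks the link
# between proxy and user; a proxy-aware verifier rejects it with
# X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION even though the signature is valid.
make_proxy "$W/foreign" "/O=Grid/OU=example.org/CN=Mallory/CN=proxy" 1

openssl x509 -in "$W/x509up" -noout -subject -issuer -dates
echo "proxy-aware verifier:    $(verify_proxy "$W/x509up" -allow_proxy_certs)"
echo "plain TLS verifier:      $(verify_proxy "$W/x509up" "")"
echo "proxy with foreign name: $(verify_proxy "$W/foreign" -allow_proxy_certs)"
```

The "plain TLS verifier" case is the practical reason every grid service needs GSI-aware software: to a standard X.509 validator the user certificate is an end-entity certificate with CA:FALSE, so anything it signs is invalid.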

Security Tutorial - n° 19: Certificate Request for a Host

[Diagram: as before, plus: service -> CA: host-request (grid-cert-request); done once every year]

Security Tutorial - n° 20: Signing the Certificate

[Diagram: as before, plus: CA -> service: host-cert (cert signing)]

Security Tutorial - n° 21: Configuration on the Server

[Diagram: as before, with the VO now shown as VO-LDAP, plus: CA -> service: ca-certificate and crl (cert/crl update); automatically updated every night/week]

Security Tutorial - n° 22: Service

You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
  - registering a trusted CA: /etc/grid-security/certificates: hashed cert, crl and url
  - generating a gridmap file: mkgridmap -> /etc/grid-security/gridmap: DN -> userid/gid mapping
  - generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)
Start the service!

Security Tutorial - n° 23: Service: CA Certificates

$ ls /etc/grid-security/certificates
0ed6468a.0               c35c1972.0               d64ccb53.0
0ed6468a.crl_url         c35c1972.crl_url         d64ccb53.crl_url
0ed6468a.r0              c35c1972.r0              d64ccb53.r0
0ed6468a.signing_policy  c35c1972.signing_policy  d64ccb53.signing_policy
16da7552.0               cf4ba8c8.0               df312a4e.0
16da7552.crl_url         cf4ba8c8.crl_url         df312a4e.crl_url
16da7552.r0              cf4ba8c8.r0              df312a4e.r0
16da7552.signing_policy  cf4ba8c8.signing_policy  df312a4e.signing_policy

(per CA, named by the hash of its subject: <hash>.0 = CA certificate, <hash>.r0 = CRL, <hash>.crl_url = where the CRL is fetched from, <hash>.signing_policy = namespace the CA may sign)

$ cat c35c1972.crl_url

Security Tutorial - n° 24: Service: a Certificate

$ cat c35c1972.signing_policy
# EACL CERN CA
access_id_CA      X509         '/C=CH/O=CERN/CN=CERN CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

$ openssl x509 -in c35c1972.0 -text
        Issuer: C=CH, O=CERN, CN=CERN CA          <- the issuer and the subject are the same:
        [...]
        Subject: C=CH, O=CERN, CN=CERN CA         <- self-signed certificate
        [...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE                            <- it may be used to sign other certificates
            [...]
            Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA    <- it is a CA certificate
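The signing_policy file is the namespace constraint a service applies on top of the chain check: a correctly signed certificate is still rejected if its subject lies outside the namespaces this CA is trusted to sign, so one CA, compromised or careless, cannot issue certificates that look like another CA's users. The shell function below is an added example and not EDG or Globus code; it applies the CERN policy copied from this slide to made-up subjects. Matching is the shell's own glob, with none of GSI's case handling, and only the access_id_CA, pos_rights and cond_subjects lines of the EACL format are interpreted.

```shell
#!/bin/sh
# Added example (not EDG/Globus code): apply a Globus signing_policy file to
# a certificate's issuer and subject, the way a service checks that a CA
# stayed inside the namespace it is trusted for. The policy text is the CERN
# CA's from the slide; the subjects tested are constructed.
set -eu
POLICY=$(mktemp)
cat > "$POLICY" <<'EOF'
# EACL CERN CA
access_id_CA      X509         '/C=CH/O=CERN/CN=CERN CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'
EOF

signing_policy_allows() {
    # $1: signing_policy file, $2: issuer DN of the certificate being checked,
    # $3: its subject DN. Returns 0 when the policy is for this issuer, grants
    # CA:sign, and one cond_subjects glob matches the subject; 1 otherwise.
    policy_ca=$(sed -n "s/^access_id_CA[[:space:]]*X509[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" "$1")
    [ "$policy_ca" = "$2" ] || return 1
    grep -q '^pos_rights[[:space:]]*globus[[:space:]]*CA:sign' "$1" || return 1
    globs=$(sed -n "s/^cond_subjects[[:space:]]*globus[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" "$1")
    # One double-quoted glob per line; an unquoted $glob in "case" is a shell
    # pattern, so the "*" works exactly as in the policy file.
    while IFS= read -r glob; do
        [ -n "$glob" ] || continue
        case $3 in
            $glob) return 0 ;;
        esac
    done <<EOF
$(printf '%s\n' "$globs" | awk -F'"' '{ for (i = 2; i <= NF; i += 2) print $i }')
EOF
    return 1
}

check() {
    # Prints ALLOWED or DENIED for an (issuer, subject) pair, for the demo run.
    if signing_policy_allows "$POLICY" "$1" "$2"; then
        echo "ALLOWED  $2"
    else
        echo "DENIED   $2"
    fi
}

CERN_CA="/C=CH/O=CERN/CN=CERN CA"
check "$CERN_CA" "/O=Grid/O=CERN/OU=cern.ch/CN=Alice Example"     # inside /O=Grid/O=CERN/*
check "$CERN_CA" "/C=IT/O=INFN/L=Bologna/CN=Alice Example"         # INFN namespace: CERN CA may not sign it
check "/C=IT/O=INFN/CN=INFN CA" "/O=Grid/O=CERN/CN=Alice Example"  # this policy file is not for that issuer
```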

Security Tutorial - n° 25: Service: Revocation List

$ openssl crl -in c35c1972.r0 -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA          <- the issuer is the CA itself
        Last Update: Jul 1 17:53: GMT
        Next Update: Aug 5 17:53: GMT            <- next update: shall be checked
Revoked Certificates:
    Serial Number: 5A                             <- the revoked certificate's serial number
        Revocation Date: May 24 16:45: GMT
    Signature Algorithm: md5WithRSAEncryption    <- signature, as usual
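Slides 6, 9 and 25 together describe one life cycle: the user makes a key and request, the CA signs it with `openssl ca`, and if the key is lost the CA revokes the serial number and publishes a new CRL that every service picks up through its hashed trust directory. The script below is an added example, not the tutorial's or EDG's own CA configuration: it runs that cycle end to end with a throw-away CA, installs the CA certificate and CRL under the `<hash>.0` / `<hash>.r0` names of slide 23, and verifies a certificate before and after revocation. All DNs, paths and lifetimes are constructed. Two deliberate departures from the slides: signatures use SHA-256 and 2048-bit keys instead of the md5WithRSAEncryption and 1024-bit RSA shown in the 2003 output, both of which are no longer acceptable, and the hash is the SHA-1 subject hash of current OpenSSL rather than the older MD5 hash behind names like c35c1972.

```shell
#!/bin/sh
# Added example (not EDG's CA configuration): a throw-away CA driven by
# "openssl ca", the hashed trust directory a service reads, and the CRL check
# that turns a revocation into a refused connection. Everything is constructed.
set -eu

setup_ca() {
    # $1: empty work directory. Creates the CA key and certificate, the
    # database files "openssl ca" needs, and a directory standing in for
    # /etc/grid-security/certificates.
    CA_DIR=$1
    CA_CNF=$CA_DIR/ca.cnf
    CERTDIR=$CA_DIR/certificates
    mkdir -p "$CA_DIR/newcerts" "$CERTDIR"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca       = tutorial_ca
[ tutorial_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = dn_policy
x509_extensions  = user_cert
[ dn_policy ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ user_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
[ ca_cert ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CA_CNF" -extensions ca_cert \
        -subj "/O=Grid/OU=example.org/CN=Example Tutorial CA" \
        -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

issue_cert() {
    # $1: file stem, $2: subject DN. The user side of grid-cert-request (key
    # plus request) followed by the CA's "openssl ca -in request -out cert".
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_CNF" -subj "$2" \
        -keyout "$CA_DIR/$1-key.pem" -out "$CA_DIR/$1-req.pem" 2>/dev/null
    openssl ca -batch -notext -config "$CA_CNF" \
        -in "$CA_DIR/$1-req.pem" -out "$CA_DIR/$1.pem" >/dev/null 2>&1
}

publish_ca() {
    # Writes a fresh CRL and installs CA certificate and CRL under the hashed
    # names a trust directory uses (<hash>.0 and <hash>.r0). Prints the hash.
    openssl ca -gencrl -config "$CA_CNF" -out "$CA_DIR/ca.crl" >/dev/null 2>&1
    h=$(openssl x509 -in "$CA_DIR/cacert.pem" -noout -subject_hash)
    cp "$CA_DIR/cacert.pem" "$CERTDIR/$h.0"
    cp "$CA_DIR/ca.crl" "$CERTDIR/$h.r0"
    echo "$h"
}

revoke_cert() {
    # $1: certificate file. Marks it revoked in the CA database; services only
    # learn about it once publish_ca produces and distributes a new CRL.
    openssl ca -revoke "$1" -config "$CA_CNF" >/dev/null 2>&1
}

verify_with_crl() {
    # $1: certificate file. Prints OK when the chain builds from the hashed
    # directory and the leaf is absent from a present, unexpired CRL; FAIL
    # otherwise, which covers "certificate revoked" and a missing CRL alike.
    if openssl verify -CApath "$CERTDIR" -crl_check "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Walk-through: issue, publish, verify, revoke, republish, verify again.
setup_ca "$(mktemp -d)"
issue_cert alice "/O=Grid/OU=example.org/CN=Alice Example"
echo "no CRL installed yet:        $(verify_with_crl "$CA_DIR/alice.pem")"
publish_ca >/dev/null
echo "before revocation:           $(verify_with_crl "$CA_DIR/alice.pem")"
revoke_cert "$CA_DIR/alice.pem"
echo "revoked, old CRL still used: $(verify_with_crl "$CA_DIR/alice.pem")"
publish_ca >/dev/null
echo "after CRL update:            $(verify_with_crl "$CA_DIR/alice.pem")"
openssl crl -in "$CA_DIR/ca.crl" -noout -text | sed -n '/Revoked Certificates/,/Revocation Date/p'
```

The "revoked, old CRL still used" line is the point of the nightly cert/crl update on slide 21 and of the Next Update field on this slide: a revocation protects nobody until the relying parties have fetched the CRL that carries it, and a CRL past its Next Update must be treated as missing, not as "nothing revoked".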

Security Tutorial - n° 26: Authorization Information

[Diagram: as before, plus: VO-LDAP -> service: gridmap (mkgridmap)]

Security Tutorial - n° 27: Gridmap File: Configuration

$ cat /etc/grid-security/mkgridmap.conf
auth  ldap://marianne.in2p3.fr/ou=People,o=testbed,dc=eu-datagrid,dc=org
# EDG Standard Virtual Organizations
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org      .alice
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org      .atlas
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=cms,dc=eu-datagrid,dc=org        .cms
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org       .lhcb
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=biomedical,dc=eu-datagrid,dc=org .biome
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=earthob,dc=eu-datagrid,dc=org    .eo
group ldap://marianne.in2p3.fr/ou=ITeam,o=testbed,dc=eu-datagrid,dc=org       .iteam
group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org         .wpsix
default_lcluser AUTO

(each group line maps the members of one VO group in LDAP to a local account; a name starting with a dot, such as .alice, denotes a pool of accounts rather than a single user)

Security Tutorial - n° 28: Generated Gridmap File

$ cat /etc/grid-security/gridmap
"/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
"/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro
"/C=IT/O=INFN/L=Bologna/CN=Franco aliprod
"/C=IT/O=INFN/L=Bologna/CN=Marisa aliprod
"/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
"/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
"/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon
"/C=FR/O=CNRS/OU=LPC/CN=Yannick yannick
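The gridmap file is consulted only after authentication has succeeded: the service takes the authenticated identity, which for a proxy (slides 17 and 18) is the user's DN with the proxy CN components removed, and looks it up to choose the local account. The function below is an added example, not EDG or Globus code; it performs that lookup over a small gridmap that mixes two entries from this slide with constructed ones, handling quoted DNs containing spaces, comma-separated account lists (the first account is the default), comment lines, and the legacy /CN=proxy and /CN=limited proxy suffixes.

```shell
#!/bin/sh
# Added example (not EDG/Globus code): the DN -> local account lookup a
# service performs on /etc/grid-security/gridmap after authentication.
# The file below mixes two entries from the slide with constructed ones.
set -eu
GRIDMAP=$(mktemp)
cat > "$GRIDMAP" <<'EOF'
# DN -> local account(s); the first account is the default one
"/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
"/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
"/O=Grid/O=Example/OU=example.org/CN=Alice Example" alice,cms001
"/O=Grid/O=Example/OU=example.org/CN=Carol Example" cms002
EOF

gridmap_identity() {
    # $1: authenticated subject. Strips legacy proxy components so that a
    # proxy maps to the same account as the user certificate it came from.
    # (RFC 3820 proxies append numeric CNs instead; not handled here.)
    dn=$1
    while :; do
        case $dn in
            */CN=proxy|*"/CN=limited proxy") dn=${dn%/CN=*} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$dn"
}

gridmap_lookup() {
    # $1: subject DN (user or proxy), $2: gridmap file.
    # Prints the default local account; exit status 1 when there is no mapping.
    want=$(gridmap_identity "$1")
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            s = index($0, "\""); if (s == 0) next  # the DN is the first quoted field
            rest = substr($0, s + 1)
            e = index(rest, "\""); if (e == 0) next
            if (substr(rest, 1, e - 1) != want) next
            accounts = substr(rest, e + 1)
            sub(/^[ \t]+/, "", accounts)
            split(accounts, a, ",")
            print a[1]; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$2"
}

for subject in \
    "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" \
    "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones/CN=proxy" \
    "/O=Grid/O=Example/OU=example.org/CN=Alice Example/CN=proxy/CN=limited proxy" \
    "/O=Grid/O=Nowhere/CN=Mallory"
do
    if account=$(gridmap_lookup "$subject" "$GRIDMAP"); then
        echo "$subject -> $account"
    else
        echo "$subject -> no mapping, access denied"
    fi
done
```

A DN that authenticates but has no gridmap entry is the normal "valid certificate, not a member of any VO served here" case: authentication passed, authorization did not.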

Security Tutorial - n° 29: Using a Service

[Diagram: as before, plus: user <-> service: host/proxy certificates exchanged]

Security Tutorial - n° 30: Summary

Obtaining a certificate from a CA (see http://marianne.in2p3.fr/datagrid/ca/ for the CAs)
  - new certificate: grid-cert-request -> new files in ~/.globus: usercert_request.pem, userkey.pem
  - mail it to the appropriate CA
  - save the answer as ~/.globus/usercert.pem
  - new proxy certificate: grid-proxy-init -> /tmp/x509up_u`id -u`
-> You have a certificate signed by an EDG CA.

Security Tutorial - n° 31: Further Information

Grid
  - EDG CAs
  - Globus Security
  - EDG WP2 (management/security/)
  - EDG D7.5
Background
  - GGF Security
  - GSS-API
  - IETF PKIX charter
  - PKCS